104305 2012-12-06 14:27:45 -0800 Scripts injected from an isolated world should bypass a page's CSP 2016-03-23 11:31:45 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED WONTFIX P2 Normal --- 97398 1 mkwst webkit-unassigned abarth bfulgham dbates felipe oldest_to_newest 785272 0 mkwst 2012-12-06 14:27:45 -0800 Following on from https://bugs.webkit.org/show_bug.cgi?id=97398, it would be nice if inline script blocks injected from an isolated world into the page would run as expected. Not sure it's easily possible. :( LastPass, for instance, is a Chrome extension which injects inline scripts to do its thing. Ideally, it wouldn't do that, but it does. 785449 1 abarth 2012-12-06 17:24:03 -0800 I'd rather than extension authors used scripts from their extension package. Injecting an inline script is likely to lead to XSS. 785660 2 mkwst 2012-12-06 22:54:50 -0800 (In reply to comment #1) > I'd rather than extension authors used scripts from their extension package. Injecting an inline script is likely to lead to XSS. What about out-of-line scripts hosted on origins that the extension's CSP allows? I think we're currently blocking those as well. 827713 3 mkwst 2013-02-07 11:00:53 -0800 Unassigning myself; let's be realistic about what I'm actually working on. :/ 1177394 4 dbates 2016-03-23 11:09:28 -0700 This issue was resolved with the patch for bug #144830. 1177398 5 dbates 2016-03-23 11:23:05 -0700 (In reply to comment #4) > This issue was resolved with the patch for bug #144830. Disregard this remark. Following the patch for bug #144830 subresource loads/JavaScript execution initiated from markup always honor the Content Security Policy of the page regardless of whether such markup was programmatically inserted into the document from an isolated world. That is, markup injected by an extension is not exempt from the Content Security Policy of the page (programmatic resource fetching, say via XHR, is exempt from CSP when initiated in an isolated world). As of the time of writing, we have not heard of any compatibility issues in Safari extension from this change. For completeness, the patch for bug #144830 did exempt user agent shadow DOM markup from CSP because such markup is used to implement browser features and is considered an implementation detail. 1177401 6 dbates 2016-03-23 11:31:45 -0700 I marked this issue RESOLVED WONTFIX because I do not feel we should fix this bug as it encourages a bad idiom. I agree with Adam Barth's remarked in comment #1, we want extension authors to use scripts included in their extension bundle as opposed to programmatically injecting inline script that could make the page susceptible to an XSS vulnerability.